An exploratory question, here. After some reading, I'm getting a sinking feeling that WCF's authentication options aren't "friendly" to non-Microsoft clients, or require a great deal of effort to implement. I'm building a REST WCF service for which I wanted some kind of simple digest authentication; e.g. I store a username and password in Web.config and share that with the team that will use the service. The team that will consume this service is a legacy shop not versed in Microsoft tooling or helpers; e.g. ANSI C/C++, PHP, etc.

Anyway, MSDN tells me that digest authentication requires that the server be in a domain. I don't want or need this service to be in a domain. That seems like an odd requirement. So I dismissed that option.

So I read about NTLM and Windows authentication, but I worry that I'd be imposing a burden on the other team by only supporting Microsoft-flavored, proprietary authentication methods; won't they have to put forth a lot more effort to code against such a service? These methods seem intrinsically tied to concepts like Windows domains and user accounts, etc.

+1  A: 

Windows Authentication is intended for use in intranet services where there is a domain controller you can use to manage your credentials and authorization.

You need to check Forms Authentication; that will probably meet your needs.

Am
This is a WCF (web service) question.
Pavel Minaev
I think it is still relevant, since the technique talks about how to implement it, not only on having a _Form with submit button_
Am
Maybe a more WCF link would help: http://msdn.microsoft.com/en-us/library/bb386582.aspx .
Tuzo
The Forms Authentication approach seems to depend on IIS. I have to consider that this WCF service may be service-hosted rather than IIS-hosted.
Jeff Stewart
+1  A: 

If you just look for "friendliness" then you can go for basic authentication which is pretty much supported everywhere.

However, unless that is coupled with some kind of transport level encryption then passwords will be transferred in clear text - a pretty bad situation security-wise.

NTLM and Kerberos authentication are supported by several non-WCF technologies, but they do put a burden/requirement on the environment in which they are used.

You could look into some kind of message level authentication meaning that the credentials will be part of the message instead of handled by the transport. WCF supports the WS-* specifications that relate to message level security. Those specifications are again not tied to WCF or Windows.

It sounds like the simplest way in your setup would be to use basic authentication and use HTTPS for the transport.

HakonB
Past experience has had me favor digest over basic authentication without much thought, but it may indeed be the best route here. I was under the impression that digest authentication was a good (not perfect) solution for avoiding cleartext credential transmission *and* avoiding transport encryption. I'm baffled as to why it's such a "special case" in WCF. Why on *Earth* would you need a domain to do it?
Jeff Stewart
WCF's digest authentication validates users against the AD. Please see http://blogs.msdn.com/drnick/archive/2006/05/12/understanding-http-authentication.aspx for more information
HakonB
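
What basic authentication over HTTPS, the route suggested in the second answer, asks of the client and of the service, as an added example that is not part of the original thread or anyone's posted code. It is written in Python as a language-neutral illustration; the credential values, the function names and the choice to answer 403 over plain HTTP are assumptions.

```python
import base64
import binascii
import hmac

# Constructed sample credential; stands in for the pair kept in Web.config.
EXPECTED_USER = "legacy-team"
EXPECTED_PASSWORD = "s3cret:with-colon"


def build_basic_header(user, password):
    """Client side: the whole of what a C or PHP caller has to produce."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def parse_basic_header(header):
    """Return (user, password), or None if the header is not valid Basic."""
    if not header:
        return None
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # Split on the first colon only: the user id cannot contain one, the password can.
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def authorize(header, is_https):
    """Server side: returns the HTTP status the service would answer with."""
    if not is_https:
        return 403  # Basic is only base64 encoding; refuse it over plain HTTP
    creds = parse_basic_header(header)
    if creds is None:
        return 401
    # Compare both fields in constant time, and always compare both.
    user_ok = hmac.compare_digest(creds[0].encode(), EXPECTED_USER.encode())
    pass_ok = hmac.compare_digest(creds[1].encode(), EXPECTED_PASSWORD.encode())
    return 200 if (user_ok and pass_ok) else 401
```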